Chrome Preferences

Overview

Chrome stores user preferences in two JSON files within each profile directory: Preferences (general settings) and Secure Preferences (tamper-protected settings). These files contain a wide range of configuration data including the default search engine, homepage, download directory, startup behaviour, installed extension settings, sync status, and the Chrome version that created the profile.

Preferences are forensically relevant because they reveal user intent and configuration choices. A changed default search engine, unusual startup URLs, disabled security features, or non-default download directories can all be indicators of compromise or relevant user behaviour.

File Locations

| File | Path | Description |
| --- | --- | --- |
| Preferences | ~/Library/Application Support/Google/Chrome/{Profile}/Preferences | General user settings |
| Secure Preferences | ~/Library/Application Support/Google/Chrome/{Profile}/Secure Preferences | Tamper-protected settings with HMAC validation |

Database Schema / File Format

Both files are JSON documents. The Preferences file is a large nested object with sections for different feature areas. Key sections include:

{
    "browser": {
        "enabled_labs_experiments": ["flag-name@1"],
        "window_placement": { ... }
    },
    "default_search_provider": {
        "enabled": true,
        "name": "Google",
        "search_url": "{google:baseURL}search?q={searchTerms}&..."
    },
    "download": {
        "default_directory": "/Users/admin/Downloads",
        "prompt_for_download": false
    },
    "homepage": "https://www.google.com",
    "homepage_is_newtabpage": true,
    "profile": {
        "avatar_index": 0,
        "created_by_version": "120.0.6099.129",
        "creation_time": "13345678901234567",
        "local_profile_id": "abc123",
        "name": "Person 1"
    },
    "session": {
        "restore_on_startup": 1,
        "startup_urls": ["https://example.com"]
    },
    "sync": {
        "has_setup_completed": true
    },
    "extensions": { ... },
    "content_settings": { ... },
    "safe_browsing": { ... },
    "account_info": [ ... ]
}

Key Fields for Analysis

Search Engine Configuration

  • default_search_provider.name: The name of the default search engine. Changes from the default (Google) may indicate adware or user preference.
  • default_search_provider.search_url: The URL template used for searches. Hijacked search engines use custom URLs to redirect queries.

Homepage and Startup

  • homepage: The configured homepage URL. A non-standard homepage may indicate browser hijacking.
  • homepage_is_newtabpage: Whether the homepage is the new tab page (true) or a custom URL (false).
  • session.restore_on_startup: Controls what happens when Chrome starts.
    | Value | Behaviour |
    | --- | --- |
    | 0 | Open the New Tab page |
    | 1 | Restore the previous session |
    | 4 | Open specific URLs |
  • session.startup_urls: URLs to open on startup when restore_on_startup is 4. Malware sometimes adds URLs here.

Download Configuration

  • download.default_directory: Where downloads are saved by default. Non-standard locations (e.g., /tmp, external drives) may be significant.
  • download.prompt_for_download: Whether Chrome asks where to save each download.

Profile Metadata

  • profile.created_by_version: The Chrome version that first created this profile. Useful for determining how long a profile has been in use.
  • profile.creation_time: When the profile was created (WebKit timestamp as string).
  • profile.name: The user-visible profile name.
  • profile.local_profile_id: A local identifier for the profile.

Chrome Experiments

  • browser.enabled_labs_experiments: A list of enabled Chrome flags (from chrome://flags). Certain enabled experiments may indicate advanced user behaviour or deliberate security modifications.

Sync Configuration

  • sync.has_setup_completed: Whether Chrome sync has been configured. If true, data may be synchronised across devices.

Account Information

  • account_info: An array of Google accounts associated with the profile, potentially including email addresses and account IDs.

Timestamps

| Field | Format | Notes |
| --- | --- | --- |
| profile.creation_time | WebKit (string) | When the profile was first created |

Analysis Notes

  • The Secure Preferences file contains the same data as Preferences but with HMAC signatures to detect tampering. If Chrome detects that Secure Preferences has been modified outside of Chrome, it may reset certain settings. The presence of HMAC mismatches could indicate manual configuration changes.
  • A default_search_provider that does not match common search engines (Google, Bing, DuckDuckGo, Yahoo) may indicate adware or a browser hijacker that redirects searches.
  • The extensions section within preferences contains additional extension configuration, including which extensions are enabled/disabled and their individual settings.
  • The content_settings section controls per-site permissions (notifications, camera, microphone, location, etc.) and can reveal which sites the user has granted sensitive permissions to.
  • The safe_browsing section indicates whether Safe Browsing is enabled. A disabled Safe Browsing feature may be the result of malware attempting to avoid detection.
  • enabled_labs_experiments can reveal if the user has disabled security features or enabled experimental capabilities through chrome://flags.
  • The profile.created_by_version field is set when the profile is first created and never updated, providing a historical reference point.
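
The checks described in the key fields and analysis notes above can be scripted. The following is an added example, not macfor's code: it reads a parsed Preferences document, converts profile.creation_time from WebKit time, and flags the search, startup, homepage and download indicators. The helper names, the download path prefixes and the sample profile are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

COMMON_ENGINES = {"google", "bing", "duckduckgo", "yahoo"}  # from the analysis notes
ODD_DOWNLOAD_PREFIXES = ("/tmp", "/private/tmp", "/Volumes/")  # assumed macOS paths

def webkit_to_utc(value):
    """WebKit time: microseconds since 1601-01-01 UTC, stored as a string."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))

def dig(prefs, dotted, default=None):
    """Follow a dotted key path; absent keys yield the default instead of raising."""
    node = prefs
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def triage(prefs):
    """Return (record, findings) for one parsed Preferences document."""
    created = dig(prefs, "profile.creation_time")
    record = {
        "profile_name": dig(prefs, "profile.name"),
        "created_utc": webkit_to_utc(created) if created else None,
        "search_name": dig(prefs, "default_search_provider.name"),
        "search_url": dig(prefs, "default_search_provider.search_url"),
        "download_dir": dig(prefs, "download.default_directory"),
        "restore_on_startup": dig(prefs, "session.restore_on_startup"),
        "startup_urls": dig(prefs, "session.startup_urls", []),
    }
    findings = []
    if (name := record["search_name"]) and name.lower() not in COMMON_ENGINES:
        findings.append(f"uncommon search provider: {name} -> {record['search_url']}")
    if record["restore_on_startup"] == 4 and record["startup_urls"]:
        findings.append(f"startup URLs active: {record['startup_urls']}")
    if dig(prefs, "homepage_is_newtabpage") is False and dig(prefs, "homepage"):
        findings.append(f"custom homepage: {prefs['homepage']}")
    if (record["download_dir"] or "").startswith(ODD_DOWNLOAD_PREFIXES):
        findings.append(f"non-standard download directory: {record['download_dir']}")
    return record, findings

# Constructed sample for illustration, not taken from a real profile.
SAMPLE = json.loads("""{
 "default_search_provider": {"name": "Example Search", "search_url": "https://search.example.test/?q={searchTerms}"},
 "download": {"default_directory": "/tmp/dl"}, "homepage": "https://start.example.test", "homepage_is_newtabpage": false,
 "profile": {"name": "Person 1", "creation_time": "13345678901234567"},
 "session": {"restore_on_startup": 4, "startup_urls": ["https://start.example.test"]}}""")
if __name__ == "__main__": print(*triage(SAMPLE)[1], sep="\n")
```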

Version Differences

The Preferences JSON format evolves with each Chrome version as new features are added. Chrome is backward-compatible, ignoring unknown keys. Key additions over time:

| Version | Change |
| --- | --- |
| Chrome 80 | Baseline format |
| Chrome 85+ | Tab groups preferences added |
| Chrome 91+ | Content annotations preferences |
| Chrome 100+ | Enhanced sync preferences |
| Chrome 115+ | Privacy Sandbox preferences |

macfor extracts a consistent set of forensically relevant fields regardless of Chrome version, ignoring version-specific additions that are not relevant to forensic analysis.

Tool Support

| Tool | Capability |
| --- | --- |
| macfor | Collects both Preferences and Secure Preferences files, extracts key settings into structured records |
| Any JSON viewer | Manual inspection of the full preferences tree |
| jq | Command-line JSON processing for specific preference queries |
| Hindsight | Includes preferences analysis in Chrome forensic report |
